ci: drop GHCR/Docker publishing from build-and-publish.yml #153
Merged
The publish-docker job used docker/login-action, a third-party action not on the Apache org's GitHub Actions allow-list. Allow-list rejection happens at workflow-parse time, before the job's 'if: github.event_name != pull_request' guard is evaluated — so the publish job (which never even runs on PRs) failed the ENTIRE workflow at startup with zero jobs, taking the build and Solr-version compatibility test jobs down with it on every push and PR. The workflow has never had a successful run.

We don't publish images from this workflow, so remove the publish-docker job entirely rather than reauthenticating to a registry we don't use. It now only builds and tests (renamed 'Build and Test'); release publishing stays in release-publish.yml.

Signed-off-by: adityamparikh <aditya.m.parikh@gmail.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This was referenced Jun 15, 2026
epugh pushed a commit that referenced this pull request Jun 19, 2026
nightly-build.yml failed at startup on every scan (zero jobs) because of a secrets-in-if expression: 'if: ${{ secrets.APACHE_NIGHTLIES_USER != '\'''\'' }}'. The secrets context is not available in if: conditions, so GitHub rejects the workflow at parse time — a separate cause from the docker/login-action allow-list issue fixed in #153/#154.
The nightlies.apache.org upload was only a placeholder and a daily nightly pre-release isn't wanted, so remove the workflow entirely rather than fix the parse error. dev-docs/WORKFLOWS.md and dev-docs/DOCKER_PUBLISHING.md are updated to drop nightly references (dedicated section, comparison-matrix column, scenario, registry list, tagging).
Note: the 'COMPARISON WITH OTHER WORKFLOWS' header comments in build-and-publish.yml, release-publish.yml, and atr-release.yml still list nightly-build; left as-is to avoid conflicts with #153/#154 which modify the first two.
Signed-off-by: adityamparikh <aditya.m.parikh@gmail.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
epugh pushed a commit that referenced this pull request Jun 19, 2026
…s allow-list (#154)

release-publish.yml authenticates to GHCR with docker/login-action, a third-party action not on the Apache org's GitHub Actions allow-list. Allow-list rejection is parse-time, so it fails the whole workflow at startup (zero jobs) the moment a release runs. The v4.2.0 (650006c6) SHA-pin from #145 does not help — that SHA is not allow-listed, unlike graalvm (329c42c), which is and is left as-is.

Replace both GHCR login steps with an inline 'docker login' using the built-in GITHUB_TOKEN. The token is piped via stdin (never on the command line or in logs) and the username is read from an env var, so no untrusted value is interpolated into the run script. This removes the allow-list dependency.

Companion to #153, which removed the unused publish job from build-and-publish.yml. release-publish.yml genuinely needs to publish, so it keeps the login — just inline.

Signed-off-by: adityamparikh <aditya.m.parikh@gmail.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Problem
build-and-publish.yml has never had a successful run — it fails at startup with zero jobs executed, on every push to main and (as attributed) on every PR.

Root cause: the publish-docker job uses docker/login-action, a third‑party action that is not on the Apache org's GitHub Actions allow‑list. Allow‑list rejection happens at workflow‑parse time, before the job's if: github.event_name != 'pull_request' guard is ever evaluated — so a publish job that wouldn't even run on PRs still takes the entire workflow down at startup, killing the build and solr-compatibility (Solr‑version matrix) jobs along with it.

A prior fix (#145) SHA‑pinned the action to 650006c6… (v4.2.0) on the assumption it was allow‑listed, but the workflow still never starts — unlike native.yml, whose graalvm pin (329c42c) genuinely is allow‑listed and now runs.

Fix
We do not publish images from this workflow (releases are handled by release-publish.yml), so rather than reauthenticate to a registry we don't use, this removes the publishing entirely:
- publish-docker job (GHCR login + Jib push to GHCR/Docker Hub + summary) — this deletes the allow‑list‑blocking docker/login-action reference.
- Build and Publish → Build and Test (it no longer publishes).
- tags: 'v*' trigger, which existed only to publish release images.
- release-publish.yml / nightly-build.yml are left intact.

Net: 20 insertions, 214 deletions, one file.

Result
The workflow file now parses, so the next push to main runs build + solr-compatibility — the first green this workflow can produce. Because the (valid) on: block has no pull_request trigger, it will run on main pushes + manual dispatch only and stop appearing as a red ✗ on PRs; PR validation remains with ci.yml.

Notes
release-publish.yml still references the same docker/login-action@650006c6… in two GHCR‑login steps. It's dormant (manual release trigger), so it isn't failing anything today, but it will hit the same startup failure whenever a release is run — worth a follow‑up (there the fix is an inline docker login, since releases do need to publish).

🤖 Generated with Claude Code
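
A pre-flight check for the two startup failures described on this page (an action outside the allow-list, and the secrets context in an if: condition), as an added example that is not part of this PR or the project's code. The allow-list entries, the example-org/setup-tool action, the UPLOAD_USER secret and the sample workflow are constructed, and the SHA values are placeholders.

```python
import re

# Constructed policy for illustration; the real org allow-list is not on the page.
ALLOWED_PREFIXES = ("actions/",)  # assumption: GitHub-owned actions are permitted
ALLOWED_PINS = {"example-org/setup-tool@SHA_ALLOW_LISTED"}  # hypothetical pin

# Constructed sample workflow, not the project's file. SHAs are placeholders.
SAMPLE = """\
name: Build and Publish
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@SHA_ALLOW_LISTED
  publish-docker:
    if: github.event_name != 'pull_request'
    runs-on: ubuntu-latest
    steps:
      - uses: docker/login-action@SHA_NOT_ALLOW_LISTED
  upload:
    if: ${{ secrets.UPLOAD_USER != '' }}
    runs-on: ubuntu-latest
    steps:
      - run: echo upload
"""

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
IF_SECRETS = re.compile(r"^\s*(?:-\s*)?if:.*\bsecrets\.")

def is_allowed(ref):
    # Actions stored in the same repository are not third-party references.
    return ref.startswith("./") or ref.startswith(ALLOWED_PREFIXES) or ref in ALLOWED_PINS

def preflight(text):
    """Return (line, rule, detail) for constructs that stop the workflow at startup."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        # Enclosing job-level if: guards are ignored on purpose: they are evaluated too late.
        if m and not is_allowed(m.group(1)):
            findings.append((no, "action-not-allow-listed", m.group(1)))
        if IF_SECRETS.match(line):
            findings.append((no, "secrets-in-if", line.strip()))
    return findings

if __name__ == "__main__":
    for no, rule, detail in preflight(SAMPLE):
        print(f"line {no}: {rule}: {detail}")
```

The guarded publish-docker job is still reported, which is the behaviour the PR description attributes to parse-time allow-list rejection.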